Miredo: Teredo IPv6 tunneling for Linux and BSD

Security Advisory 0703

Summary           : Teredo client packets sent to arbitrary address
Date              : 01 June 2007
Affected versions : Miredo, all versions
Miredo-specific   : No
Impact            : None immediate
CVE ID            : CVE-2006-6266 (candidate)
ID                : MTFL-SA-0703

Details

Teredo clients, when following item 6 of RFC4380 section 5.2.3, start direct IPv6 connectivity tests (aka ping tests) in response to packets from non-Teredo source addresses, which might allow remote attackers to induce Teredo clients to send packets to third parties.

Impact

An attacker can induce a Teredo client into a rate-limited quantity of small fixed-size IPv6 packets to an arbitrary (third party or unassigned) address.

IPv6 connectivity tests are a design feature of the Teredo protocol. They pose no more threat that sending spoofed TCP/SYN packet to an open port on any server, or a spoofed ICMPv6 Echo request, to trick an IPv6 node into sending packets to an arbitrary third party.

Threat mitigation

IPv6 connectivity tests are rate-limited per IPv6 address, and do not provide a significant rate of traffic amplification to be of much use and interest to attackers.

Workarounds

None. None needed.

Solution

This vulnerability is considered a non-issue, and cannot be “fixed” due to the very design of the Teredo protocol.

Credits

Jim Hoagland has published this issue in his Teredo security report.

Some of this page content is copied from the CVE MITRE database.

References

Report on Teredo security
http://www.symantec.com/avcenter/reference/Teredo_Security.pdf

History

01 June 2007
Initial detailled security advisory
29 November 2006
Report published by Jim Hoagland
28 November 2006
Private notification from Jim Hoagland